Security vendors have been harping on the need for enterprise companies to adopt top-down risk management strategies to improve their overall security standing for several years, but experts at IBM claim that the trend is now finally taking hold.

Driven by the need to comply with a growing number of government and industry regulations, a wider swath of businesses are moving away from reactive IT security models and employing comprehensive risk management tactics, IBM officials maintain.

With the arrival of the PCI (payment card industry) data security standard and the need for nearly any company that processes credit or debit card transactions to begin revamping their security infrastructure, many more businesses are beginning to understand that they cannot defend themselves by merely buying new point products and responding to individual threats, said Chris Lovejoy, director of governance risk management strategy at IBM.

In response to the growing support of risk management planning, IBM announced Thursday that it has created a range of new product combinations and services offerings that aim to help customers tackle major elements of IT security and compliance project work in a more integrated fashion.

By offering broader integrated products and services, Lovejoy said, Big Blue can help large businesses take a more centralized, integrated approach to solving their security and compliance problems.

"What we're telling people is that they need to partner with somebody who has the capacity to handle the whole complex picture of security and compliance from a long-term perspective," Lovejoy said. "We know that companies cannot afford to keep buying widgets every time a new security or compliance issue arises. This is the model people have been working with, and it's not working from either a cost or complexity standpoint."

While the company's messaging around risk management may strike many people in the IT security community as nothing new as industry leaders such as Symantec and McAfee have rolled out similar strategies in recent years and IBM first detailed its plans to adopt a similar strategy in May, Lovejoy said that many businesses are just waking up to the concept.

Customers operating in heavily regulated industries, such as the financial services and health care markets, may be years into their enterprise risk management programs, but most companies outside of those segments have not been forced to employ the top-down approach until now, and thus haven't done so, said the expert.

Initial attempts to conform with the PCI mandate -- which is aimed at forcing companies such as retailers to do a better job of protecting their customers' sensitive personal information -- have opened the eyes of many other types of businesses to the need to utilize a unified approach to managing IT security and compliance efforts, Lovejoy said.

"PCI essentially represents a reasonable risk management framework, a more pragmatic way of looking at infrastructure and the interaction of people with data, and applying control at the right layers," Lovejoy said.

"The problem with PCI from a customer perspective is that it is challenging and expensive for a lot of companies to get up to speed, and in some cases, it's still unclear what they need to do. They're also unsure of what's coming in terms of penalties for a lack of compliance," she said. "There's definitely a lot of uncertainty out there right now, even though the initial deadlines have already passed."

Lovejoy said that smaller and mid-tier enterprises, particularly in the retail sector, are struggling to figure out where to begin making investments to comply with PCI and other security-oriented regulations. Companies in other countries that are being affected by the mandates have also fallen behind, she said.

IBM's new PCI compliance offeringsAmong the new products and services introduced by IBM on Thursday are a set of tools meant to provide end-to-end PCI compliance capabilities.

The vendor believes it has all of the necessary skills in its portfolio, from assessment services that promise to help companies understand where their greatest weaknesses lie to design and deployment offerings that address the composition of related security policies and adoption of needed technologies, to help companies fall in line with the mandate.

From a product standpoint, IBM said it has also added specific PCI compliance capabilities to its IT Governance and Risk Management tools, including an upgrade to its Proventia Network Enterprise Scanner product that includes vulnerability checks tailored to address regulation requirements.

The IBM Tivoli Compliance Insight Manager, a compliance audit and reporting package, had also added a PCI Module with report templates customized to handle the different aspects of the guideline.

Beyond the PCI-specific tools, IBM is also touting risk management capabilities engrained into its Proventia Content Analyzer package, including new data inspection capabilities built into its Proventia Network Intrusion Prevention System (IPS) products.

In addition, the company said that its IBM ISS group is partnering with security vendors, including Application Security, Fidelis Security Systems, PGP, and Verdasys, to create new data protection services. Among those offerings are Data Security Services for Activity Compliance Monitoring and Reporting, Data Security Services for Endpoint Data Protection, and Data Security Services for Enterprise Content Protection.

The services promise to address many of the areas the ISS partners target with their individual products, including applications vulnerability testing, data encryption, and information leakage prevention.

Along with expanded mainframe compliance capabilities in its z/OS and Tivoli zSecure product lines, the company also detailed a range of other data security and regulatory tools, including User Compliance Management Software, QuickStart Services for Tivoli Compliance Insight Manager, and Online Application Security and Compliance Management.

"We've been seeing the security market itself lurch form headline to headline, and customers in particular need to stop thinking about their strategy in terms of the latest crisis," said Lovejoy. "We're trying to elevate risk management above other security conversation; starting with PCI fits that mold well, because it dovetails with this concept of starting with a risk management plan."